QRCode

This package does not generate QRCodes for 2FA.

If you are looking for Google Two-Factor Authentication, but also need to generate QRCode for it, you can use the Google2FA QRCode package, which integrates this package and also generates QRCodes using the BaconQRCode library, or check options on how to do it yourself here in the docs.

Using It

Instantiate it directly

How To Generate And Use Two Factor Authentication

Generate a secret key for your user and save it:

$user->google2fa_secret=$google2fa->generateSecretKey();

Generating QRCodes

The securer way of creating QRCode is to do it yourself or using a library. First you have to install a QR code generator e.g. BaconQrCode, as stated above, then you just have to generate the QR code url using:

Server Time

It's really important that you keep your server time in sync with some NTP server, on Ubuntu you can add this to the crontab:

sudo service ntp stop
sudo ntpd -gq
sudo service ntp start

Validation Window

To avoid problems with clocks that are slightly out of sync, we do not check against the current key only but also consider $window keys each from the past and future. You can pass $window as optional third parameter to verifyKey, it defaults to 4. A new key is generated every 30 seconds, so this window includes keys from the previous two and next two minutes.

An attacker might be able to watch the user entering his credentials and one time key.
Without further precautions, the key remains valid until it is no longer within the window of the server time. In order to prevent usage of a one time key that has already been used, you can utilize the verifyKeyNewer function.

Note that $timestamp either false (if the key is invalid or has been used before) or the provided key's unix timestamp divided by the key regeneration period of 30 seconds.

Using a Bigger and Prefixing the Secret Key

Although the probability of collision of a 16 bytes (128 bits) random string is very low, you can harden it by:

Use a bigger key

$secretKey=$google2fa->generateSecretKey(32); // defaults to 16 bytes

You can prefix your secret keys

You may prefix your secret keys, but you have to understand that, as your secret key must have length in power of 2, your prefix will have to have a complementary size. So if your key is 16 bytes long, if you add a prefix it must be also 16 bytes long, but as your prefixes will be converted to base 32, the max length of your prefix is 10 bytes. So, those are the sizes you can use in your prefixes:

Window

The Window property defines how long a OTP will work, or how many cycles it will last. A key has a 30 seconds cycle, setting the window to 0 will make the key lasts for those 30 seconds, setting it to 2 will make it last for 120 seconds. This is how you set the window:

$secretKey=$google2fa->setWindow(4);

But you can also set the window while checking the key. If you need to set a window of 4 during key verification, this is how you do:

$isValid=$google2fa->verifyKey($seed, $key, 4);

Key Regeneration Interval

You can change key regeneration interval, which defaults to 30 seconds, but remember that this is a default value on most authentication apps, like Google Authenticator, which will, basically, make your app out of sync with them.

$google2fa->setKeyRegeneration(40);

Google Authenticator secret key compatibility

To be compatible with Google Authenticator, your (converted to base 32) secret key length must be at least 8 chars and be a power of 2: 8, 16, 32, 64...

So, to prevent errors, you can do something like this while generating it: